Today we had a problem with our Win NT4 PDC and discovered numerous failover issues with our Samba file server.

For starters, this is a Debian Etch machine running Samba-3.0.24-2. At this point, this is a critical production machine. Upgrading is on our to-do path, but is not an option for an immediate fix to this problem. With the exception of this problem, this Samba installation has been very stable thus far.

The issue is that when the PDC died, the Samba server was unable to authenticate any users. I have security set to domain and the password server directive is set to *

When I do an nmblookup on the wins server specified in smb.conf I get:

    nmblookup -U WINSSVR -R DOMAIN#1C
    10.0.0.30 DOMAIN1<1c>
    10.0.0.X DOMAIN<1c>
    192.X.X.X DOMAIN<1c>

So the wins server can see both PDC and BDC.

If I try any of the following:

    net rpc join -S BDC -U Administrator
    net join -S BDC -U Administrator
    net rpc join member -S BDC -U Administrator
    net join -S BDC member -U Administrator

I get:

    Creation of workstation account failed

Even though the BDC shows that this machine already has an account (replicated at some point from the PDC). If I try this command without any -S servers listed, it gives me a "No Suitable Server Found" error.

Can anyone help me fix this? I am trying to stabilize the NT PDC, but it becomes even more difficult to do when I can't take it offline since the Samba server seems to not be using the BDC.

Thanks.

-Ron
Ron García-Vidal
2011-Jul-01 22:28 UTC
[Samba] WINS + BDC Problem [Was: Problems with BDC authentication]
On 07/01/2011 03:12 PM, Ron García-Vidal wrote:
> Today we had a problem with our Win NT4 PDC and discovered numerous
> failover issues with our Samba file server.
>
> For starters, this is a Debian Etch machine running Samba-3.0.24-2. At
> this point, this is a critical production machine. Upgrading is on our
> to-do path, but is not an option for an immediate fix to this problem.
> With the exception of this problem, this Samba installation has been
> very stable thus far.
>
> The issue is that when the PDC died, the Samba server was unable to
> authenticate any users. I have security set to domain and the password
> server directive is set to *
>
> When I do an nmblookup on the wins server specified in smb.conf I get:
>
> nmblookup -U WINSSVR -R DOMAIN#1C
> 10.0.0.30 DOMAIN1<1c>
> 10.0.0.X DOMAIN<1c>
> 192.X.X.X DOMAIN<1c>

The problem turned out to be that there were three WINS servers configured in the smb.conf. 2 of the three WINS servers do not know about the BDC. The third does. When I defined only the third in smb.conf, we had no authentication outage.

So the real issue then is why don't the other two WINS servers see the BDC?

Of the two WINS servers, one is another Debian Etch box with Samba 3.0.21a-4 and the other is Debian Lenny running Samba 3.2.5-4. (The working WINS Server is Lenny with Samba 3.2.5-4 as well)

The smb.conf for all three boxes have the same WINS settings:

    name resolve order = host lmhosts bcast
    max ttl = 259200
    max wins ttl = 518400
    min wins ttl = 21600
    dns proxy = Yes
    wins proxy = No
    wins support = Yes

Of the three, one of the non-working WINS servers is on the same subnet as the working WINS server and the PDC. The BDC is not on the same subnet as any of these guys.

    Working WINS: 192.X.X.X
    NonWorking WINS: 192.X.X.Y
    PDC: 192.X.X.Z
    BDC: 10.0.0.X
    NonWorking WINS: 10.10.12.X

Any help in trouble-shooting this would be greatly appreciated.
From: Ron_García-Vidal <ghstwrtr at evilgenius.net>
Date: Fri, 01 Jul 2011 18:28:03 -0400

> On 07/01/2011 03:12 PM, Ron García-Vidal wrote:
>
> The problem turned out to be that there were three WINS servers
> configured in the smb.conf. 2 of the three WINS servers do not know
> about the BDC. The third does. When I defined only the third in
> smb.conf, we had no authentication outage.

Currently Samba WINS server does not support replication. So the WINS databases of these 3 WINS servers are not synchronized.

Try to use samba4wins or another replication solution.

---
TAKAHASHI Motonobu <monyo at samba.gr.jp>
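
The thread's diagnosis can be checked mechanically by comparing what each WINS server returns for the domain's <1c> group. The script below is an added example, not part of any post in the thread or of Samba: it parses `nmblookup -U <server> -R 'DOMAIN#1C'` output and reports which WINS servers lack a domain controller that another one knows about. The server addresses and sample output are constructed, and the function names are hypothetical.

```python
import re
import subprocess

# Matches nmblookup answer lines such as "10.0.0.30 DOMAIN<1c>".
ANSWER = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+\S+<1c>\s*$", re.I)

def parse_1c(output):
    """Return the set of IPs listed in <1c> answer lines of nmblookup output."""
    return {m.group(1) for line in output.splitlines() if (m := ANSWER.match(line))}

def query_wins(server, domain):
    """Ask one WINS server for the domain's <1c> group (needs nmblookup and network)."""
    cmd = ["nmblookup", "-U", server, "-R", f"{domain}#1C"]
    return subprocess.run(cmd, capture_output=True, text=True).stdout

def missing_dcs(views):
    """views: {wins_server: set of DC IPs}. Return {wins_server: DCs it lacks}."""
    all_dcs = set().union(*views.values()) if views else set()
    return {srv: sorted(all_dcs - dcs) for srv, dcs in views.items() if all_dcs - dcs}

# Constructed sample output for three unreplicated WINS servers (documentation
# address ranges, not the hosts from the thread). Only the first knows both DCs.
SAMPLE = {
    "192.0.2.10": "querying DOMAIN on 192.0.2.10\n"
                  "192.0.2.5 DOMAIN<1c>\n198.51.100.30 DOMAIN<1c>\n",
    "192.0.2.11": "querying DOMAIN on 192.0.2.11\n192.0.2.5 DOMAIN<1c>\n",
    "203.0.113.12": "querying DOMAIN on 203.0.113.12\n"
                    "name_query failed to find name DOMAIN#1c\n",
}

def sample_report():
    """Run the comparison over the constructed sample instead of live queries."""
    return missing_dcs({srv: parse_1c(out) for srv, out in SAMPLE.items()})

if __name__ == "__main__":
    # For live use, build the views with parse_1c(query_wins(server, "DOMAIN")).
    for srv, lacks in sample_report().items():
        print(f"WINS {srv} lacks <1c> entries for: {', '.join(lacks)}")
```

Any server that appears in the report cannot lead a `password server = *` member to the missing domain controller, which matches the outage described when the PDC went down.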